Needing help getting rid of the Google Redirecting Virus?!


#1
ikissedyomomma (Member, 35 posts)
Help! I have this Google redirecting virus; every time I try to search up anything on Google, Yahoo, or anything with a search engine, it redirects me to another page! I tried ComboFix and Malwarebytes' Anti-Malware, but it didn't remove it. Can somebody please help me? ): Thanks so much!



Here's the log file from ComboFix.



ComboFix 11-04-27.01 - Jessica 04/27/2011 20:31:46.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.658 [GMT -7:00]
Running from: c:\documents and settings\Jessica\Desktop\Comb.exe
Command switches used :: c:\documents and settings\Jessica\Desktop\cfscript.txt
AV: AntiVir Desktop *Disabled/Updated* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira FireWall *Enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
.
FILE ::
"c:\program files\AdvancedVirusRemover\PAVRM.exe"
"c:\windows\system32\AVR09.exe"
"c:\windows\system32\winhelper.dll"
"c:\windows\system32\winupdate.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-28 )))))))))))))))))))))))))))))))
.
.
2011-04-28 02:35 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-28 02:35 . 2011-03-18 17:53 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-28 02:35 . 2011-03-18 17:53 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-28 02:35 . 2011-03-18 17:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-28 02:35 . 2011-03-18 17:53 728024 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-28 02:35 . 2011-03-18 17:53 142296 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-28 02:35 . 2011-03-18 17:53 1893336 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-28 02:35 . 2011-03-18 17:53 1975768 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-28 02:00 . 2008-04-14 00:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-04-28 02:00 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-04-28 02:00 . 2008-04-13 18:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-04-28 02:00 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-04-27 03:54 . 2011-04-27 03:54 -------- d-----w- c:\documents and settings\Jessica\Local Settings\Application Data\Identities
2011-04-23 04:52 . 2011-04-23 04:52 -------- d-----w- c:\program files\Frontline Registry Cleaner
2011-04-23 02:37 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-23 02:37 . 2011-04-23 03:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-23 02:37 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-23 01:43 . 2011-04-23 01:43 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-21 20:13 . 2011-04-21 20:13 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Mozilla
2011-04-21 20:11 . 2011-04-21 20:11 -------- d-sh--w- c:\documents and settings\user\IETldCache
2011-04-17 18:14 . 2011-04-17 18:14 -------- d-sh--w- c:\documents and settings\Jessica\IECompatCache
2011-04-15 02:43 . 2011-04-15 02:43 -------- d-----w- c:\documents and settings\Jessica\Local Settings\Application Data\SupportSoft
2011-04-15 01:42 . 2011-04-15 01:42 -------- d-----w- c:\program files\TryMedia
2011-04-14 23:35 . 2011-04-15 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2011-04-14 23:33 . 2011-04-15 02:43 -------- d-----w- c:\program files\Common Files\SupportSoft
2011-04-09 20:59 . 1995-08-15 07:00 26992 ------w- c:\windows\system\ctl3dv2.dll
2011-04-08 04:08 . 2011-04-08 04:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Transparent
2011-04-08 04:08 . 2011-04-08 04:08 -------- d-----w- c:\program files\Transparent
2011-04-08 04:07 . 2003-02-27 23:12 696320 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2011-04-08 04:07 . 2002-12-05 21:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2011-04-08 04:07 . 2002-12-02 22:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2011-04-08 04:07 . 2002-12-02 20:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2011-04-08 04:07 . 2002-12-02 20:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2011-04-08 04:07 . 2011-04-08 04:07 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2011-04-08 04:07 . 2011-04-08 04:07 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-15 00:23 . 2010-09-14 19:43 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-07 05:33 . 2009-06-11 17:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2006-02-28 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2006-02-28 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2006-02-28 12:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-02-28 12:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-09-15 07:41 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2006-02-28 12:00 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2006-02-28 12:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-02-28 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-02-28 12:00 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-02-28 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2009-06-11 17:38 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-03-18 17:53 . 2011-04-28 02:35 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( [email protected]_04.44.49 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-28 03:40 . 2011-04-28 03:40 16384 c:\windows\Temp\Perflib_Perfdata_258.dat
+ 2010-09-17 22:11 . 2011-04-18 22:46 42181064 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"WEB Framework"="c:\program files\WEB Framework\wbfrmwrk.exe" [2010-04-29 354304]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\WEB Framework\\wbfrmwrk.exe"=
"c:\\Program Files\\Logitech\\Vid HD\\Vid.exe"=
.
R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [9/14/2010 12:43 PM 102856]
R2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [9/14/2010 12:43 PM 539304]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [9/14/2010 12:43 PM 339624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/14/2010 12:43 PM 136360]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [9/14/2010 12:43 PM 421032]
R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [9/14/2010 12:43 PM 79432]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/14/2010 8:20 PM 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-15 03:20]
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-11-15 03:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
FF - ProfilePath - c:\documents and settings\Jessica\Application Data\Mozilla\Firefox\Profiles\k1lygot7.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-27 20:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380011A rev.3.06 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8673B33B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1036)
c:\program files\Avira\AntiVir Desktop\avsda.dll
.
- - - - - - - > 'explorer.exe'(3620)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\nview.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2011-04-27 20:46:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-28 03:45
ComboFix2.txt 2011-04-23 04:47
.
Pre-Run: 8,205,299,712 bytes free
Post-Run: 8,193,970,176 bytes free
.
- - End Of File - - 8A82DA590CBE4926432089D04D6AB966

Edited by ikissedyomomma, 27 April 2011 - 06:49 PM.

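The log above is what a helper reads before picking a tool, and a few items in it carry most of the weight: the four files ComboFix was scripted to delete (the FILE :: block, including two executables dropped straight into system32), the Run keys, the Security Center value AntiVirusOverride=1, the firewall standard profile with EnableFirewall=0, and the DriverStartIo hook on \Driver\atapi reported by the MBR scanner. The Python below is an added example for this thread, not ComboFix's own code and not anything the helper posted; it pulls those indicators out of a pasted log. It runs on an excerpt of the log above embedded as a string, matching only the section markers and value formats visible there. The "unpathed autorun" check is my own assumption about what deserves a second look, not something the thread says.

```python
"""Triage a pasted ComboFix log for the indicators a malware helper reads first.

Added example for this thread; it is not ComboFix's own code and not the
helper's script.  Input is an excerpt of the log posted above, embedded as a
string so the parser runs offline.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the log above (trimmed by hand, so it is not a complete ComboFix log).
SAMPLE_LOG = r'''
FILE ::
"c:\program files\AdvancedVirusRemover\PAVRM.exe"
"c:\windows\system32\AVR09.exe"
"c:\windows\system32\winhelper.dll"
"c:\windows\system32\winupdate.exe"
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"WEB Framework"="c:\program files\WEB Framework\wbfrmwrk.exe" [2010-04-29 354304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
hidden files: 0
.
detected hooks:
\Driver\atapi DriverStartIo -> 0x8673B33B
user & kernel MBR OK
'''


@dataclass
class Findings:
    script_files: List[str] = field(default_factory=list)   # FILE :: block (cfscript targets)
    autoruns: List[dict] = field(default_factory=list)      # values under ...\CurrentVersion\Run
    overrides: List[str] = field(default_factory=list)      # Security Center / firewall settings
    hooks: List[str] = field(default_factory=list)          # "detected hooks:" lines from the MBR scan
    hidden_files: Optional[int] = None                      # catchme "hidden files: N"


RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s+\[(?P<date>\S+)\s+(?P<size>\d+)\])?')
DWORD_VALUE = re.compile(r'^"(?P<name>\w+)"=dword:(?P<val>[0-9a-fA-F]{8})')
FIREWALL = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
HIDDEN = re.compile(r'^hidden files:\s*(?P<n>\d+)')


def parse_combofix(text: str) -> Findings:
    f = Findings()
    block = None   # "files" or "hooks" while inside one of those multi-line blocks
    key = None     # registry key currently open in the Reg Loading Points section
    for raw in text.splitlines():
        line = raw.strip()
        if line == "FILE ::":
            block = "files"
            continue
        if line == "detected hooks:":
            block = "hooks"
            continue
        if block == "files":
            if line.startswith('"'):
                f.script_files.append(line.strip('"'))
                continue
            block = None                      # the "." line ends the block
        if block == "hooks":
            if line.startswith("\\"):
                f.hooks.append(line)
                continue
            block = None
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key and key.lower().endswith("\\currentversion\\run"):
            m = RUN_ENTRY.match(line)
            if m:
                f.autoruns.append({"key": key, **m.groupdict()})
                continue
        m = DWORD_VALUE.match(line)
        if m and m["name"] == "AntiVirusOverride" and int(m["val"], 16) == 1:
            f.overrides.append("Security Center AntiVirusOverride=1: AV status warnings are suppressed")
        m = FIREWALL.match(line)
        if m and int(m["val"]) == 0:
            f.overrides.append("Windows Firewall standard profile EnableFirewall=0")
        m = HIDDEN.match(line)
        if m:
            f.hidden_files = int(m["n"])
    return f


def unpathed_autoruns(f: Findings) -> List[dict]:
    """Run values that give a bare file name instead of a full path.

    Assumption (mine, not the thread's): these deserve a look, because the
    name is resolved through the search path, where a planted binary can
    shadow the intended one."""
    return [a for a in f.autoruns if "\\" not in a["path"]]


def summarize(f: Findings) -> List[str]:
    lines = [f"{len(f.script_files)} file(s) targeted by the cfscript"]
    lines += [f"autorun {a['name']!r} -> {a['path']}" for a in f.autoruns]
    lines += [f"unpathed autorun: {a['name']}" for a in unpathed_autoruns(f)]
    lines += [f"override: {o}" for o in f.overrides]
    lines += [f"hook: {h}" for h in f.hooks]
    if f.hidden_files is not None:
        lines.append(f"hidden files reported: {f.hidden_files}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_combofix(SAMPLE_LOG))))
```

Paste a full log into SAMPLE_LOG (or read it from a file) and the same parser applies; the two overrides it flags are the ones that let an infection run quietly, and the atapi DriverStartIo hook is the line that points at a disk-level rootkit rather than a browser add-on.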

#2
RKinner (Malware Expert, MVP, 23,194 posts)
Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop, then right-click it and choose Run as Administrator.

If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file named "TDSSKiller.txt" should be created on your C: drive. Please copy and paste its contents in your next reply.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. It will produce a log, MBRCheck(date).txt, on your desktop. Copy and paste it into a reply.


Ron
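
MBRCheck and the "Stealth MBR rootkit" scan already in the ComboFix log both inspect the first sector of the disk. The Python below is an added example for this thread, not MBRCheck, TDSSKiller or ComboFix code: it parses a 512-byte MBR, validates the 0x55AA signature and the partition table, and hashes the 440 bytes of boot code against a trusted baseline. The sample sectors are constructed inside the script; CLEAN_BOOT_CODE is a stand-in rather than real Windows boot code, and the "infected" sector models what an MBR bootkit does, replacing the code while leaving the partition table intact, so every structural check passes and only the hash comparison catches it. Reading a live MBR needs raw device access (\\.\PhysicalDrive0 on Windows, with administrator rights), which is why the checks operate on bytes.

```python
"""Parse a 512-byte MBR and run the checks an MBR-check tool performs.

Added example for this thread; it is not MBRCheck, TDSSKiller or ComboFix
code.  It works on a bytes object so it runs offline; the sample sectors
below are constructed here, not read from the poster's disk.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Set

SECTOR = 512
BOOT_CODE_LEN = 440           # code bytes before the 4-byte disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    parts = []
    for i in range(4):
        status, p_type, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if p_type != 0:                       # type 0 marks an unused slot
            parts.append(Partition(i, status == 0x80, p_type, lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the executable part only; the disk signature and partition
    table are excluded because they legitimately differ per machine."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, trusted: Set[str]) -> List[str]:
    """Return a list of problems; an empty list means the sector looked clean."""
    if len(mbr) != SECTOR:
        return [f"expected {SECTOR} bytes, got {len(mbr)}"]
    problems = []
    if mbr[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    if sum(p.bootable for p in parts) != 1:
        problems.append("expected exactly one active partition")
    for p in parts:
        if p.lba_start == 0 or p.sectors == 0:
            problems.append(f"partition {p.index}: zero start or length")
    spans = sorted((p.lba_start, p.lba_start + p.sectors, p.index) for p in parts)
    for (_, end_a, ia), (start_b, _, ib) in zip(spans, spans[1:]):
        if start_b < end_a:
            problems.append(f"partitions {ia} and {ib} overlap")
    digest = boot_code_hash(mbr)
    if digest not in trusted:
        problems.append(f"boot code hash {digest[:16]}... is not in the trusted set")
    return problems


def build_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a sector for testing (a real MBR also carries a disk signature at 440..443)."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for p in partitions:
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * p.index,
                         0x80 if p.bootable else 0x00, p.type_id, p.lba_start, p.sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live sector (Windows device path shown; needs administrator rights, not run here)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


# Constructed stand-in for installer-written boot code; NOT real Windows boot code.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 20
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [Partition(0, True, 0x07, 63, 156_296_322)])
TRUSTED_HASHES = {boot_code_hash(CLEAN_MBR)}   # baseline taken while the machine was known-good

# Bootkit-style tampering: the code is replaced, the partition table is left alone,
# so the disk still boots and every structural check still passes.
INFECTED_MBR = build_mbr(b"\xEB\xFE" + b"\x00" * 25, parse_partitions(CLEAN_MBR))

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, TRUSTED_HASHES) or "OK")
    print("infected:", check_mbr(INFECTED_MBR, TRUSTED_HASHES))
```

On a live machine, swap the constructed sectors for read_physical_mbr() and a baseline hash captured before the infection; without such a baseline the structural checks alone will wave an infected sector through, which is why tools of this kind ship with a list of known-good boot code hashes.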

#3
ikissedyomomma (Topic Starter, Member, 35 posts)
I tried running it as administrator, but it wouldn't work; it said:

"Unable to log on:

Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced."

#4
RKinner (Malware Expert, MVP, 23,194 posts)
Oops, that was the Vista TDSS fix. Just run it by double-clicking.

Ron

#5
ikissedyomomma (Topic Starter, Member, 35 posts)
Well, shoot. ): I double-clicked it, and this message came up...

"TDSS rootkit removing tool has encountered a problem and needs to close. We are sorry for the inconvenience."

I have the choice to 'Send Error Report', or 'Don't Send'.

I clicked Don't Send at first and tried doing it again, but right as it reached "Initialization: 80%" it popped up again.

Should I click 'Send Error Report'?

#6
RKinner (Malware Expert, MVP, 23,194 posts)
Don't bother with the error report.

1. Open Avira AntiVir Personal. (There is likely an icon on your desktop, or in your system tray by the clock.)
2. Click the "Configuration" link on the main screen. This opens the configuration panel.
3. Check the "Expert mode" option.
4. Click on General > Security.
5. *Uncheck* the option titled "Protect files and registry entries from manipulation".
6. Click the "OK" button.
7. Reboot your computer.

Pause Avira and try TDSSKiller again.

Ron

#7
ikissedyomomma (Topic Starter, Member, 35 posts)
I restarted the computer and got the same message as before and at the same spot as before. I also did pause Avira.

#8
RKinner (Malware Expert, MVP, 23,194 posts)
Download the free Avast:

http://www.avast.com...ivirus-download but don't install it yet.

Uninstall Avira. Reboot and install Avast.

Once you have it installed and it has updated:

Click on the Avast ball. Then click on Scan Computer, then on Boot-Time Scan, then on Settings. Change the "Ask" at the bottom to "Move to Chest". Click OK, then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load Windows.

Now try TDSSKiller again.

Ron